✓ Solved

Under attack, wordpress hacked

Good day,

I have a hole to plug but I'm not sure where to start. I got a ticket about malicious content. When I go to /var/www/somewebsite/ I see there is an extra dir called vim and a whole bunch of new files and dirs under the /var/www/somewebsite/html dir. My current solution is to delete everything in /var/www/somewebsite/ and to run clamav after booting into rescue mode.

After clamav the following files were quarantined:

-rw-r--r-- 1 www-data www-data 60230 Dec  6 07:22 2index.php.001
-rw-r--r-- 1 www-data www-data 88790 Dec 13 09:06 wp-plugins.php.001.001
-rw-r--r-- 1 www-data www-data 88790 Dec 14 06:04 wp-plugins.php.002.001
-rw-r--r-- 1 www-data www-data 88790 Dec 14 09:04 wp-plugins.php.003

Today I noticed that there were two files in /var/www/somewebsite/html/ after I deleted everything in that dir: index.php and .htaccess. When I delete them (no errors when deleting), they just pop back immediately.

This is the second site that was attacked. It seems that I have a weakness in my setup? Any advice, please?
(I've configured ssh so that only my user can log in, using a public key.)

2 Replies

✓ Best Answer

My suggestion would be to:

  1. Save all your content (both text and graphics) using the built-in WP Export tool. I'd also save off the Uploads directory in wp-content.

  2. Install WP in a (new) subdirectory

  3. Install the WPS Hide Login and Wordfence plugins.

  4. Change permissions to what WP recommends (especially for wp-config.php; we use 644).

  5. Change the .htaccess file to redirect to the new subdirectory.

I would assume that they were able to breach your site through the WordPress admin login page.

Possibly due to a weak or compromised password, WordPress not being updated recently, a plug-in with a known vulnerability that wasn’t updated, or possibly a malicious plug-in, since they’re not code-reviewed for safety or security by WordPress.

Since the files keep coming back, that means there is still some malware in your WordPress site.
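Steps 4 and 5 of the answer as an added shell example (not the answerer's own code): it applies the directory/file permission baseline, uses the 644 for wp-config.php that the answer states, and writes a root .htaccess that redirects to the fresh install. The document root and subdirectory name are assumed arguments; the test data is constructed.

```shell
#!/bin/sh
# Added example for the recovery steps above. Paths are passed in by the
# caller; nothing here is taken from the forum poster's real server.

# Step 4: WordPress baseline permissions. Directories 755, files 644, and
# wp-config.php at the 644 the answer uses (tighten it further, e.g. 640,
# if PHP runs as the file owner on your server).
harden_wp_permissions() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 644 "$root/wp-config.php"   # holds the database credentials
    fi
}

# Step 5: a minimal .htaccess at the old document root that sends every
# request to the reinstalled WordPress living in "$subdir". The RewriteCond
# keeps requests that already point at the subdirectory from looping.
write_redirect_htaccess() {
    docroot="$1"
    subdir="$2"
    target="$docroot/.htaccess"
    cat > "$target" <<EOF
# Redirect the old site root to the reinstalled WordPress in /$subdir/
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/$subdir/
RewriteRule ^(.*)\$ /$subdir/\$1 [R=301,L]
EOF
    chmod 644 "$target"
}

# Octal mode of a path, used to verify the result (GNU stat, BSD fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
```

Run it against the old document root after the export in step 1 and the new install in step 2 are in place, then confirm the modes with `mode_of`.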
